diff --git a/entrypoint.sh b/entrypoint.sh
index 5379521..6e0043e 100644
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -70,15 +70,18 @@ if [ ! -f /var/lib/samba/private/secrets.tdb ]; then
   echo "Joining domain using net ads"
   mkdir -p /var/lib/samba/private
   mkdir -p /var/lib/samba/printerdrivers
+
+  # Allow adding printer drivers for Administrator
+  setfacl -m "g:Domain Admins:rwx" /var/lib/samba/printerdrivers
+  setfacl -m "d:g:Domain Admins:rwx" /var/lib/samba/printerdrivers
+
+  # Join
   net ads join --no-dns-updates -U"$ADMIN_ACCOUNT"%"$ADMIN_PASSWORD"
 
   /etc/init.d/winbind start
   /etc/init.d/smbd start
 
-  # Allow adding printer drivers for Administrator (for Domain Admins it does not work)
-  setfacl -R -m "u:$ADMIN_ACCOUNT:rwx" /var/lib/samba/printerdrivers
-
-  # Shares are not visible otherwise
+  # HACK: In Samba 4.16 and above shares are not visible otherwise
   sleep 5
   smbclient -L 127.0.0.1 -P
   chmod 666 /var/lib/samba/share_info.tdb